Commit 7104da0

mame and XrXr authored
Apply suggestions from code review
Co-Authored-By: Alan Wu <XrXr@users.noreply.github.com>
1 parent edfa23d commit 7104da0

File tree

1 file changed (+3 / -3 lines)


en/news/_posts/2020-03-19-json-dos-cve-2020-10663.md

Lines changed: 3 additions & 3 deletions
@@ -6,17 +6,17 @@ date: 2020-03-19 22:00:00 +0900
66
lang: en
77
---
88

9-
There is unsafe object creation vulnerability in the json bundled with ruby. This vulnerability has been assigned the CVE identifier [CVE-2020-10663](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663). We strongly recommend to upgrade JSON gem.
9+
There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier [CVE-2020-10663](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663). We strongly recommend upgrading the json gem.
1010

1111
## Details
1212

1313
When parsing certain JSON documents, the JSON gem (including bundled versions with the Ruby packages) can be coerced in to creating arbitrary object in a target system.
1414

1515
This is the same issue as [CVE-2013-0269](https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/). The previous fix was incomplete, which addressed `JSON.parse(user_input)`, but didn't address some other styles of JSON parsing including `JSON(user_input)` and `JSON.parse(user_input, nil)`.
1616

17-
See [CVE-2013-0269](https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/) in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary object may cause fatal consequence depending upon the application code.
17+
See [CVE-2013-0269](https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/) in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.
1818

19-
Please update json gem 2.3.0 or later. You can use `gem update json` to update it. If you are using bundler, please add `gem "json", ">= 2.3.0"` to your `Gemfile`.
19+
Please update the json gem to version 2.3.0 or later. You can use `gem update json` to update it. If you are using bundler, please add `gem "json", ">= 2.3.0"` to your `Gemfile`.
2020

2121
## Affected versions
2222

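Review bot: the grammar fixes on lines 9, 17 and 19 stop short of line 13 in the same section, which is shown as unchanged context and still reads `can be coerced in to creating arbitrary object in a target system`; since this commit is already normalising the wording of the post, extending it to `can be coerced into creating arbitrary objects on a target system` would keep the Details section consistent. The new line 17 also keeps `See [CVE-2013-0269](...) in detail.`, which reads more naturally as `See [CVE-2013-0269](...) for details.`. The substantive changes (naming "the json gem", "version 2.3.0 or later", and "severe security consequences" replacing "fatal consequence") are consistent with the rest of the advisory and with the CVE-2013-0269 post it links to.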